FTC Leads Renewed Enforcement Focus on Payment Processors
Complaints alleging widespread institutional failures in controlling fraudulent payment processing activity; rogue merchants charging consumer accounts thousands of dollars based on dubious or nonexistent authorizations; and consent orders stipulating seven-figure fines, restitution, and compliance measures.
Is it 2013 again, and is Operation Chokepoint back in full swing? Actually it's still 2020, but the FTC has apparently taken up the mantle (or should that be the ligature?) of both federal bank regulators and the DOJ in clamping down on payment processing for high-risk merchants.
"Payment processors who help scammers steal people's money are a scourge on the financial system," said Andrew Smith, Director of the FTC's Bureau of Consumer Protection. "When we find fraud, we are committed to rooting out payment processors and other companies who actively facilitate and support these fraudulent schemes." Read the FTC's press release here.
FTC Consent Orders
In the past two months, the FTC has entered into consent orders with three payment processors to settle claims of unfair or deceptive acts or practices violating Section 5 of the FTC Act, and violations of the Telemarketing Sales Rule (TSR).
The first, with First Data Merchant Services (FDMS), imposes numerous due diligence and oversight requirements on FDMS with respect to its wholesale independent sales agents (ISOs) and their merchant clients, as well as certain high-risk merchants, and requires FDMS to pay a $40 million fine. FDMS must also obtain annual third-party assessments of its wholesale ISO oversight program for the next three years. A former FDMS executive, Chi "Vincent" Ko, also entered into a consent order effectively banning him from further participation in payment processing activities for high-risk merchants, and requiring him to pay a $270,000 fine. (See the full complaint here.)
The second, with QualPay, permanently enjoins QualPay from acting as an ISO or sales agent for any business coaching program or money-making scheme, and requires QualPay to follow screening and monitoring measures for merchant clients processing more than 25 percent of its transactions as card-not-present. QualPay also agrees to pay a fine of nearly $47 million, which is suspended due to QualPay's inability to pay. (See the full complaint here.)
The third, with Madera Merchant Services, permanently enjoins the company and its individual principals from engaging in payment processing activity and from violating the TSR and the Ohio Consumer Sales Practices Act. It also imposes a fine of nearly $9 million on the defendants.
Lessons From FTC Actions
Some of the key takeaways from the recent flurry of actions are similar to those from the 2013 Chokepoint cases. For example, the FDMS and QualPay actions allege a consistent pattern of failing to adhere to their own underwriting and monitoring standards, as well as those of their acquiring bank, in their eagerness to secure the high margins and revenue brought in by high-risk merchants and ISOs desperate for a payment processor.
Red flags such as inconsistent information within applications, merchants clearly doing business in an industry designated as high-risk by payment networks, and high chargeback/refund rates were ignored, in many cases after being repeatedly brought up by the risk department. Even when concerns were raised by processor and bank representatives with the ISO or merchant, the latter were then left free to continue without making any changes to their practices.
Participants in the payment processing industry should pay close attention to these additional takeaways from these most recent complaints and settlements:
- In contrast to most of the Chokepoint payment processing actions, which generally dealt with ACH debits as well as remotely created checks and remotely created payment orders, the FDMS and QualPay actions relate to card payment processing activity. Regulator actions against card processors and ISOs are relatively rare, presumably because of the due diligence and oversight required by acquiring banks and networks. The FDMS and QualPay actions make clear that the FTC expects ISOs and payment processors to strictly comply with the merchant underwriting standards and fraud and chargeback monitoring rules of their acquiring banks and card networks.
- Similarly, acquiring banks and card networks should take note of the Chokepoint-esque nature of these consent orders and ensure that they are effectively monitoring and overseeing the payment activities of their payment processors, ISOs and merchants, and managing the associated risk both to themselves and to consumers.
- The FTC alludes to payment processors' lack of incentive to manage fraudulent and unauthorized transactions given that they receive transaction fees in either case – in fact, chargeback fees are generally much higher than authorization and settlement fees. The magnitude of the settlement (far greater than in the Chokepoint cases) and the remedial action sought in all three cases show that the FTC intends to redress the balance in favor of processing for legitimate merchants.
As DWT helps financial institutions and payment processors navigate these risks, we will continue to closely monitor the FTC's activity.